After
synchronizing with the vCenter Server, NSX Manager collects the IP addresses of
all vCenter guest virtual machines from VMware Tools on each virtual machine.
NSX does not trust all IP address provided by VMware Tools on a virtual
machine. If a virtual machine has been compromised, the IP address can be
spoofed and malicious transmissions can bypass firewall policies.

SpoofGuard allows you to
authorize the IP addresses reported by VMware Tools, and alter them if
necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses
of virtual machines collected from the VMX files and vSphere SDK. Operating
separately from the Firewall rules, you can use SpoofGuard to block traffic
determined to be spoofed.